MACs and other payers roll out reimbursement relief options as OCR launches investigation. Heads are going to roll — and major penalties are likely going to be levied — thanks to a government investigation into the UnitedHealth Group/Change Healthcare ransomware attack. And it should matter to your agency, even if you aren’t impacted by the attack much, or at all. The UHG cyberattack “that is disrupting health care and billing information systems nationwide … poses a direct threat to critically needed patient care and essential operations of the health care industry,” says HHS Office for Civil Rights Director Melanie Fontes Rainer in a March 13 Dear Colleague letter. OCR oversees HIPAA enforcement. “Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,” Fontes Rainer continues. “OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.”
Watch out: “While OCR is not prioritizing investigations of health care providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities,” Fontes Rainer stresses in the letter. That includes “ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.” Enforcing accountability for BAs’ security failures is going to be crucial as security incidents are on the rise, experts say. “Over the past five years, there has been a 256 percent increase in large breaches reported to OCR involving hacking and a 264 percent increase in ransomware,” the Department of Health and Human Services says in a March 13 release about the investigation. “In 2023, hacking accounted for 79 percent of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141 percent increase from 2022,” HHS stresses. HHH MACs Offer Accelerated Payments Meanwhile, affected providers continue to scramble to recover in the face of disrupted billing that has led to cash flow problems. On the heels of an announcement that the Centers for Medicare & Medicaid Services had directed Medicare Administrative Contractors to help affected providers (see HHHW by AAPC, Vol. XXXIII, No. 9), MACs started issuing instructions on how to apply for accelerated payments, switch billing clearinghouses, and more. For example: HHH MAC National Government Services directs providers to use a form at www.ngsmedicare.com/ documents/20124/121641/1770_0324_508.pdf to request accelerated payments associated with the Change Healthcare/ Optum Payment Disruption (CHOPD). “Once our review is complete, we will send a decision letter to the provider requesting accelerated payment using the most expeditious method (e.g., email, facsimile, telephone). As a last resort, we may have to mail a copy of the decision letter,” NGS says in an article about the process. “If the request is approved, the accelerated payments will be processed within five calendar days.” Following the date the payment is granted, “repayment will start immediately through 100 percent recoupment of Medicare claims payments owed to the provider, as claims are submitted and processed,” NGS explains. “Recoupment will continue for a period of 90 days. A demand will be issued for any remaining balance on day 91 following the issuance of the accelerated and advance payment,” the MAC continues. Palmetto GBA has posted its form at www.palmettogba.com/palmetto/providers.nsf/Files/FN-JM-HHH-CHOPD.pdf/$FILE/FN-JM-HHH-CHOPD.pdf and CGS at https:// cgsmedicare.com/pdf/chopd_template.pdf. Caveat: “Providers receiving Periodic Interim Payments are not eligible to receive CHOPD Accelerated Payments,” the forms note. The MACs also review procedures for changing clearinghouse vendors in an expedited manner, submitting electronic claims directly through Direct Data Entry, and submitting paper claims. However, the MACs stress that the payment floor for paper claims is 29 days, versus 14 days for electronic claims. That may matter, since UHG reports it will begin testing a restored system the week of March 18. Through a “thorough forensic analysis … we have identified the source of the intrusion and, with high confidence, have established a safe restore point. This point allows us to move forward safely and securely in restoring our data and systems,” UHG pledges in a release. The government isn’t the only source for reimbursement relief in the meantime, the feds point out. “All affected providers should reach out to health plans and other payers for assistance with the disruption,” the Centers for Medicare & Medicaid Services urges in its latest update on the incident. “CMS has encouraged Medicare Advantage (MA) organizations to offer advance funding to providers affected by this cyberattack,” the agency says. At the feds’ urging, UHG is also providing a “Temporary Funding Assistance Program,” it notes on its webpage about the attack at www.unitedhealthgroup.com/ns/changehealthcare.html. The program helps “providers bridge the gap in short-term cash flow needs via Optum Pay,” it explains. Tip: “Providers who checked to see if they were eligible for the UnitedHealth Group Temporary Funding Assistance Program may want to take a second look. Since March 7, UHG has expanded the list of providers eligible for funds,” trade group LeadingAge recommends. Note: The OCR letter is at www.hhs.gov/sites/default/files/ cyberattack-change-healthcare.pdf.